I recently wanted to install nginx on my CentOS 6 box. Then I found out that nginx is not present in the base repositories, so I pulled it from EPEL. Then I checked the changelog using yum changelog all nginx with the following result.

Then I checked for the latest stable version of the 1.10 branch of nginx at their official download page. So I realized that the nginx package EPEL supplies is almost a year old (1.10.2) and does not include these fixes.

*) Bugfix: graceful shutdown of old worker processes might require infinite time when using HTTP/2.

*) Bugfix: when using HTTP/2 and the "limit_req" or "auth_request" directives client request body might be corrupted; the bug had appeared in 1.10.2.

*) Bugfix: a segmentation fault might occur in a worker process when using HTTP/2; the bug had appeared in 1.10.2.

*) Bugfix: an incorrect response might be returned when using the "sendfile" directive on FreeBSD and macOS; the bug had appeared in 1.7.8.

*) Bugfix: a truncated response might be stored in cache when using the "aio_write" directive.

*) Bugfix: a socket leak might occur when using the "aio_write" directive.

And the absence of the bugfixes made me think that using the old nginx from EPEL could also result in a security breach.

So I Googled "nginx on centos 6" and found out that nginx has its own CentOS 6 repositories, so all I need to do is to import them into /etc/yum.repos.d and everything will work fine.

The next problem is Xfce 4, which I really like, and I don't want it to have a GTK3 interface, which I do have by default on CentOS using EPEL releases. However, EPEL releases don't always ship all the bug fixes (as mentioned previously: nginx), so I would not want to use EPEL as a system-wide enabled repo. My /etc/yum.repos.d/epel.repo looks like this.

I would rather like to use the following workflow for installing packages.

Do a yum search pkg to find out whether it exists in the base repository consisting of well-tested and really stable packages (sourced from RHEL 6). If the package is there, just install it, problem solved.

If the package is not in the base repository, I look up on the internet whether the creators maintain their own repository for CentOS 6 (like nginx does). If I find such an official repo, I'll pull it under /etc/yum.repos.d and install the package from there.

If there are no official repos, I fall back to EPEL using yum --enablerepo=epel install pkg.

How can I keep my EPEL packages up to date without enabling the EPEL repo by default?

How can I force yum to only upgrade those packages from EPEL that were previously installed from EPEL (for example if an nginx package in the official nginx repo has a lower version number, I don't want it to be overwritten from EPEL)?

How can I create a .repo file for EPEL under /etc/yum.repos.d that is enabled by default but only valid for a single package and its dependencies? So if I want to update my system with yum update, it should only check for Xfce (and its dependencies) from EPEL, without passing --enablerepo=epel as an argument.

includepkgs= implies exclude=* for everything that is not mentioned, so it should exclude everything from that repo that doesn't match the pattern you give. It is probably case-sensitive, so Xfce doesn't match any of the packages, which are all xfce*.

You do need to add includepkgs= under the [heading] for the correct repo of course.


I know that and I could take it into effect. However, I can't make it work for package groups, like Xfce. Xfce with capital X refers to a package group while package names have non-capital letters, like xfce4-session. I install package groups using yum groupinstall pkg_group. That would include all dependencies for Xfce. Otherwise I would have to enumerate it all by hand which would result in a really long, unmaintainable list (e.g. if dependencies change due to a package split or something done by the package maintainers).

Btw, how can I tell yum to include the dependencies as well when specifying a package using includepkgs= ? So that I don't need to track them down by hand.
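The includepkgs= behaviour discussed in the replies above, as an added example that is not part of the original thread and is not yum's own code: it reads a repo stanza and reports which package names an includepkgs= list would still let through, and which patterns match nothing. The repo text and package names are constructed, and the matching is modelled as case-sensitive shell globs on the package name, which is an assumption following the reply above.

```python
import configparser
from fnmatch import fnmatchcase

# Constructed sample stanzas; the capital-X pattern is the group-style name.
SAMPLE_REPO = """\
[epel]
name=Extra Packages for Enterprise Linux 6 - $basearch
enabled=1
gpgcheck=1
includepkgs=Xfce* xfce4-* libxfce4*

[nginx]
name=nginx repo
enabled=1
gpgcheck=1
"""

# Constructed package names standing in for what a repo offers.
SAMPLE_PACKAGES = ["xfce4-session", "xfce4-panel", "libxfce4ui",
                   "xfwm4", "nginx", "Thunar"]


def include_patterns(repo_text, repo_id):
    """Return the includepkgs= globs of one stanza, or None if unset."""
    cp = configparser.RawConfigParser()  # raw: leaves $basearch untouched
    cp.read_string(repo_text)
    raw = cp.get(repo_id, "includepkgs", fallback=None)
    if raw is None:
        return None
    return raw.replace(",", " ").split()  # space- or comma-separated list


def visible_packages(repo_text, repo_id, names):
    """Names the repo can still supply; anything unmatched is excluded."""
    patterns = include_patterns(repo_text, repo_id)
    if patterns is None:
        return list(names)  # no includepkgs= means no filtering
    return [n for n in names if any(fnmatchcase(n, p) for p in patterns)]


def dead_patterns(repo_text, repo_id, names):
    """Patterns that match no package at all, e.g. a wrong-case glob."""
    patterns = include_patterns(repo_text, repo_id) or []
    return [p for p in patterns if not any(fnmatchcase(n, p) for n in names)]


if __name__ == "__main__":
    print("visible:", visible_packages(SAMPLE_REPO, "epel", SAMPLE_PACKAGES))
    print("dead:", dead_patterns(SAMPLE_REPO, "epel", SAMPLE_PACKAGES))
```

In this sample, xfwm4 and Thunar fall outside every pattern, so under this model a dependency whose name is not covered by the list is filtered out along with everything else.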